From b59d291c7922491c09de06b06c67a97fcf526c8b Mon Sep 17 00:00:00 2001 From: Valentin Samir Date: Sun, 26 May 2013 17:01:51 +0200 Subject: [PATCH] [utils] Ajout de verify-cn de squeeze MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sa sémantique nous convient mieux que celle de celui de wheezy (aka prendre en paramètre un CN et pas un fichier contenant un CN par ligne) --- utils/verify-cn | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100755 utils/verify-cn diff --git a/utils/verify-cn b/utils/verify-cn new file mode 100755 index 00000000..5d56d95a --- /dev/null +++ b/utils/verify-cn @@ -0,0 +1,52 @@ +#!/usr/bin/perl + +# verify-cn -- a sample OpenVPN tls-verify script +# +# Return 0 if cn matches the common name component of +# X509_NAME_oneline, 1 otherwise. +# +# For example in OpenVPN, you could use the directive: +# +# tls-verify "./verify-cn Test-Client" +# +# This would cause the connection to be dropped unless +# the client common name is "Test-Client" + +die "usage: verify-cn cn certificate_depth X509_NAME_oneline" if (@ARGV != 3); + +# Parse out arguments: +# cn -- The common name which the client is required to have, +# taken from the argument to the tls-verify directive +# in the OpenVPN config file. +# depth -- The current certificate chain depth. In a typical +# bi-level chain, the root certificate will be at level +# 1 and the client certificate will be at level 0. +# This script will be called separately for each level. +# x509 -- the X509 subject string as extracted by OpenVPN from +# the client's provided certificate. +($cn, $depth, $x509) = @ARGV; + +if ($depth == 0) { + # If depth is zero, we know that this is the final + # certificate in the chain (i.e. the client certificate), + # and the one we are interested in examining. + # If so, parse out the common name substring in + # the X509 subject string. + + if ($x509 =~ /\/CN=([^\/]+)/) { + # Accept the connection if the X509 common name + # string matches the passed cn argument. + if ($cn eq $1) { + exit 0; + } + } + + # Authentication failed -- Either we could not parse + # the X509 subject string, or the common name in the + # subject string didn't match the passed cn argument. + exit 1; +} + +# If depth is nonzero, tell OpenVPN to continue processing +# the certificate chain. +exit 0;